Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Privacy Security The Courts

Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 148

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for how conduct during wartime, defining basic rights for civilians caught up armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
This discussion has been archived. No new comments can be posted.

Microsoft Calls For 'Digital Geneva Convention'

Comments Filter:
  • Because theirs is by far the most architecturally broken and bodged, therefore most insecure and vulnerable OS.

    • by Anonymous Coward

      Windows' architecture isn't the problem. From that standpoint, it's really no better or worse than any other OS at any level. (Rage all you want, Linux zealots, but it's true.)

      Windows' user base is the problem. Let me count the ways...
      1) They don't want to know how to use a computer. This is the electronic equivalent of not wanting to know how to operate (much less maintain) a car or follow traffic laws, but still wanting to drive on public roads. Fortunately, it's uncommon for people to die because a compu

      • by Anonymous Coward

        I'm not discounting the majority of your post, but this:

        "Because of this, Windows is full of shims and hacks to keep old shit working."

        Is simply not true. *Everything* in Windows is hacked together garbage, even the new stuff.

        Exhibit A [slashdot.org].

        • All right, so you have 32-bit Windows. It puts stuff in C:\WINDOWS\SYSTEM32. You then bolt on 64-bit Windows. Do you put the 64-bit stuff in C:\WINDOWS\SYSTEM64? Not if you're Microsoft. For them, the correct answer is to put the 64-bit stuff in C:\WINDOWS\SYSTEM32 and put the stuff for 32-bit programs that turn them into 64-bit calls into C:\WINDOWS\SYSWOW64
        • by bondsbw ( 888959 )

          Your link has nothing to do with "new stuff". It is literally dated 2006... you know, when that strategy was put into effect.

      • I actually want a Home product that is maintainable. I have health problems though, so my cash is at a premium. I try to make use of Home, but there are features of Pro that would make my life easier in maintaining my and my mom's computers. Then there's no product for maintaining home devices. For that matter, diagnostic messages and recovery procedures of devices and software are garbage. My phone today would attempt to connect to my home network and then not do it. No error message or anything.
      • by JustNiz ( 692889 )

        >> Windows' architecture isn't the problem. From that standpoint, it's really no better or worse than any other OS at any level. (Rage all you want, Linux zealots, but it's true.)

        No it really isn't true. Just 3 examples (believe me there are many more):
        * Unlike Linux, with Windows there is no real divide between apps and the OS. With Windows, apps and OS both keep their settings in a shared place called the registry that either can access and change. Under Linux, each app generally has its own unique

  • Makes sense (Score:4, Insightful)

    by AmiMoJo ( 196126 ) on Tuesday February 14, 2017 @01:06PM (#53867055) Homepage Journal

    If you want peace you need to start by committing not to attack the other side, only to ever defend yourself.

    • by Lead Butthead ( 321013 ) on Tuesday February 14, 2017 @01:36PM (#53867311) Journal

      "Well, the best defense is a good offense. Do you know who said that? Mel the Cook on Alice."

  • Maybe we should restore general law literacy first. The way things currently are, law is enforced strictly at the whims of the powerful.
  • by downright ( 1625607 ) on Tuesday February 14, 2017 @01:11PM (#53867095)

    Just as long as.... as unleashing Clippy on the world is deemed a war crime.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday February 14, 2017 @01:12PM (#53867107)
    Why not a "digital land mine treaty" while we're at it?
  • by Anonymous Coward

    Perhaps there's a good reason to call it a 'digital Geneva Convention' - It's basically a nice guideline to point to that the US browbeats others with, only to fail to ratify into law and enforce themselves.

    Without an enforcement body, this is meaningless. Who would you trust to enforce it anyway, MICROSOFT? Why not just call it a digital waste of time.

    • by Rakarra ( 112805 ) on Tuesday February 14, 2017 @02:20PM (#53867717)

      The US is a signee of all four Geneva Convention treaties. There were three additional protocols, though the US has only ratified the third, but not the other two. The various treaties that the US has signed:
      GC I: Amelioration of the wounded and sick in the armed forces (1949)
      GC II: Amelioration of the wounded, sick, and shipwrecked in the naval forces (1949)
      GC III: Treatment of prisoners of war (1929/1949)
      GC IV: Protection of civilian persons in times of war (1949)
      P III: Protection of anyone wearing Red Cross, Red Crescent, or Red Crystal to denote medical/religious personnel (2005)
      Signed but not ratified:
      P I: Protection of victims of international armed conflicts (1977).
      P II: Protection of victims of non-international armed conflicts (1977)

      The Geneva Convention treaties are signed by a number of countries who seek to use them as a weapon against their enemy ("they broke the convention treaties, they should be tried for war crimes!") while they don't follow them themselves.

      • For a little context, the Hague conventions of the early Twentieth Century are, as far as I can tell, the first codification of the laws of modern war in treaties. I believe they're still the basis for much of it, although those conventions were found a trifle lacking in WWII. The Geneva Conventions, as far as they relate to war, are extensions of the Hague.

  • by ctilsie242 ( 4841247 ) on Tuesday February 14, 2017 @01:22PM (#53867175)

    Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students. Unlike conventional weapons that require expensive physical objects, a massive DDoS can be launched from a cast-off 486 as the top level command console as it can from a high-end supercomputer.

    The main focus needs to be on "Great Wall of xxx", "xxx" being the country. If this isn't thought of now, it will be done by the government when some cyber-terrorism event happens that gets knee-jerk reactions going (think the USAPATRIOT act.) China has their Great Firewall. Iran is building their own Internet. Australia is in the process of building their nationwide firewall. Blocking attacks from other countries is going to be an issue sooner or later.

    A second focus needs to be on LARTing IoT makers to follow a ground up security design. A hub (or hubs for redundancy) and spoke system, so IoT devices do their communication through a hardened hub that only allows the devices to communicate with what sites the signed manufacturer's manifest allows (and 0.0.0.0/0 is not allowed directly.) As it stands now, there is actually a punishment for IoT makers to design any security in their products. Mainly because if v1.0 has a security hole, when IoT maker makes 1.1, all the owners of Device 1.0 will upgrade or else face being pwned. If the IoT maker did updates, they would lose out on that revenue, plus to them, every dollar spent on security is a dollar with no ROI. Unless pressure is placed on IoT makers, we will be seeing exponentially worse DDoS attacks when every fridge, microwave, smart TV, sex toy, and doorbell be used for it.

    • This is what struck me as well. They explicitly want to address government sponsored cyberattacks, while ignoring cyberattacks by everybody else. Interesting approach for a company that has a very cavalier attitude towards privacy

      • This is what struck me as well. They explicitly want to address government sponsored cyberattacks, while ignoring cyberattacks by everybody else. Interesting approach for a company that has a very cavalier attitude towards privacy

        Well only the US Government really has the authority to make MS complicit in such attacks.

    • Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students.

      Just because it does not address every threat doesn't mean that a digital treaty is not worthwhile. For one thing, state sponsored attacks are likely to be far more sophisticated than what "disaffected college students" can do. When the US conducted Operation Olympic Games [wikipedia.org], they set a dangerous precedent in digital warfare. And history shows that rules can be applied to warfare. Not perfectly, to be sure, but perhaps better than no rules at all.

  • Useless idea (Score:4, Interesting)

    by Nunya666 ( 4446709 ) on Tuesday February 14, 2017 @01:26PM (#53867209)
    Thanks to the NSA and CIA, and such "rules" will have so many back doors that they will be useless.
    • Rules get ignored and circumvented. Devices and software have backdoors. I don't see how to make sense attempting to apply the concept in one area to the other.
      • Rules get ignored and circumvented. Devices and software have backdoors. I don't see how to make sense attempting to apply the concept in one area to the other.

        Sorry, poor terminology choice. I should have said "exceptions" or "loopholes."

        • Hoped I helped. Society is already badly frayed and this is an area which could result in Tower of Babel levels of falling out if we don't tend to it.
    • Well how would they know what rules to break if no rules exist? You take the fun out of being a three letter agency!

  • Enforcement (Score:5, Insightful)

    by Oswald McWeany ( 2428506 ) on Tuesday February 14, 2017 @01:37PM (#53867319)

    How do you enforce a digital Geneva convention?

    You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.

    Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.

    • Or law in general anymore. Law only gets enforced at the whim of the powerful. For that matter, it's hard to tell what anyone takes seriously anymore, as most people seem to be more eager to be ground underfoot than the people doing the grinding.
    • How do you enforce the non-digital one? ;)

    • How do you enforce a digital Geneva convention?

      You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.

      Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.

      How's the US violating it in Gitmo? (I'll give you a hint: the GC covers uniformed soldiers)

  • Nice (Score:4, Funny)

    by iampiti ( 1059688 ) on Tuesday February 14, 2017 @02:34PM (#53867831)
    how about an agreement that forces the OS makers off the user's data? No? You mean you'd have to significantly alter Win 10 to pass those new rules?
  • Hey, Microsoft!

    Start making secure software, redesign the piece of garbage you call an OS to actually have security as something that's not just tacked on and an afterthought and you wouldn't have to cry for mercy now.

  • A guaranteed right for civilians to strike back against state-sponsored attacks that should not be targeting them should be enshrined into law. All forms of warfare. Collateral damage? No fucking longer, because it will be your ass.

  • Does that mean that NSA, FBI, IRS, etc. would not "attack my server?" This is the most
    idiotic idea that anyone ever not thought through. Its a total non-starter. I thought even
    Clintonite Democrats from Washington and California were smarter than that.

  • Article I. The computer belongs to the purchaser of the equipment (Owner) and must remain under his/her full control. Hardware vendor or software author (Vendors) are not allowed to modify the computer's operation to secretly advance Vendor's own purposes, or otherwise degrade the Owner's control over the equipment.
    1. Hardware components and software (Products) must exclusively do what Vendors advertised they would do when sold to Owner. There is to be no secret or hidden functionality which contravenes or
  • Would this make any serious impact though? Vast majority of cyber attacks aren't the life-and-death ones like bringing down the power grid. They are the more gray areas, espionage and theft, that nation-states may not be as quick to sign up for. If anything, many nations, including Western ones, view economic espionage as a civic duty in a global economic zero sum game. Why would they sign up for that? In addition, you nation-states already tend to use "non-state" actors to give them plausible deniabil
  • Are security protocols that broken at larger organizations or is it just Microsoft asking for government protection from improving and finding bugs in their software?

    It's easy to defend against a security attack, you could use perhaps a large amount of sites small enough to be managed by a 2 or 3 man team and then connect those sites with a network that takes different routes around when one goes missing. We could have ARPA develop the thing and call it ARPAnet.

  • The NSA isn't snooping on Facebook and Gmail because they expect to find Chinese and Russian military secrets there. Almost all active conflicts now are asymmetric warfare where at least one of the parties aren't enrolled in regular armies of any kind, it's just people. They don't dress up in uniform, they don't have any particular military infrastructure, they hide among the civilian population in civilian buildings and use civilian tools. The general population's freedom, privacy and anonymity will come u

  • by John.Banister ( 1291556 ) * on Tuesday February 14, 2017 @07:53PM (#53869917) Homepage
    where all the signatory companies agree to spend a minimum percentage of gross profits on making their products secure. And, they could agree to cooperate with other digital defense treaty companies on security matters.
  • Only Microsoft will be allowed to attack and spy on you, without being perturbed or sidelined by these annoying competitors.

    Sorry, that's juvenile and I should know better, but these little outbursts of virtue signalling from them get my goat. And I haven't even got a goat.

You are always doing something marginal when the boss drops by your desk.

Working...